
Members & Admin area using sessions

I'm setting up a members area on my site using PHP sessions. I also have an admin area which uses sessions too.

What would be the best way to stop members that are logged in (that have session info set) from being able to access the admin area? I thought I had it set up OK, but after doing some testing I noticed that if I logged into the members area and then tried accessing the admin area, I was able to get access because the session info was already stored, albeit not with the right username and password.

Instead of just looking for an existing session on every login-required page, you should re-login with the session data. Doing that, you could fetch any data from your database that stores the rights of the user (or simply whether he's an admin or not).

Yes. Re-validating the data is of course optional since you have already logged in once, but I like doing this extra check for security. The important part is to get the permissions/rights for the logged-in member and check if he can access the page.

1 being a standard user and 3 being a site admin. When they log in, store their user level in the session, then keep checking against that.

You can then display pages or additional navigation items based on their privileges... and, like Gaheris said, perform the odd check on the DB to make sure user levels haven't changed during the session.
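
The check suggested in the replies above, as an added example that is not part of the original thread: each protected page compares a required level against the member's level re-read from the database, so a member session cannot open the admin area and a demotion takes effect mid-session. The `users` table, its columns, the function names and the in-memory SQLite database (needs the `pdo_sqlite` extension) are assumptions; only the level values 1 and 3 come from the thread.

```php
<?php
// Added example, not code from the thread. Table and function names are hypothetical.
const LEVEL_USER  = 1; // standard user (value from the thread)
const LEVEL_ADMIN = 3; // site admin (value from the thread)

// Look up the member's current level in the database; 0 means "no access".
function current_level(PDO $db, array $session): int
{
    if (!isset($session['user_id'])) {
        return 0; // not logged in at all
    }
    $stmt = $db->prepare('SELECT level FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $level = $stmt->fetchColumn();
    return $level === false ? 0 : (int) $level; // account deleted => no access
}

// A page is accessible only if the level stored in the DB is high enough.
// The mere existence of session data is never enough on its own.
function can_access(PDO $db, array $session, int $required): bool
{
    return current_level($db, $session) >= $required;
}

// Constructed sample data: in-memory SQLite stands in for the real user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, level INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'member', 1), (2, 'boss', 3)");

// Constructed arrays standing in for what $_SESSION would hold after login.
$member = ['user_id' => 1, 'level' => LEVEL_USER];
$admin  = ['user_id' => 2, 'level' => LEVEL_ADMIN];

var_dump(can_access($db, $member, LEVEL_USER));  // member area, logged-in member
var_dump(can_access($db, $member, LEVEL_ADMIN)); // admin area, logged-in member
var_dump(can_access($db, $admin, LEVEL_ADMIN));  // admin area, admin
var_dump(can_access($db, [], LEVEL_USER));       // no session data

// Admin is demoted mid-session: the stale level cached in the session is ignored.
$db->exec('UPDATE users SET level = 1 WHERE id = 2');
var_dump(can_access($db, $admin, LEVEL_ADMIN));
```

On a real page, pass `$_SESSION` as the second argument after `session_start()`, and stop rendering when `can_access()` returns false.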